Implemented beta controls
- Customer-scoped API keys use the X-API-Key header.
- Report list, read, update, delete, preview, execute, schedule, and usage paths enforce ownership.
- Admin operations require JWT role authorization.
- Query and report row counts are capped.
- Experimental providers are disabled unless explicitly enabled.
- REST provider calls reject unsafe endpoint shapes by default and stream bounded reads.
- Placeholder JWT secrets are rejected at startup.
- Release evidence includes dependency scans and warning-budget checks.
Data sovereignty
Teleza can be deployed as a Dockerized API with a static dashboard. For private-cloud or self-hosted enterprise pilots, the buyer can keep report data, database credentials, and generated documents inside their own environment.
This is a deployment posture, not a compliance certification.
Explicit non-claims
- No production-ready or enterprise-grade high-availability claim yet.
- No SOC 2, HIPAA, PCI, ISO 27001, or banking compliance certification claim.
- No durable enterprise scheduling claim without persistent scheduler and queue evidence.
- No trusted AI template-output claim.
Hosted beta review checklist
- Strict hosted deployment preflight evidence.
- CORS origins and JWT settings confirmed.
- Database provider and persistence path confirmed.
- OpenAPI and metrics exposure decisions captured.
- Backup, restore, rollback, logs, and alert evidence captured.